Observations on articles I read to keep current about technology. My interests are: Privacy, security, business, the computer industry, and geeky stuff that catches my eye.

I don't think I have an agenda beyond my own amusement.

Note that I lump all my comments into a single post. This is not a typical BLOG technique; it's just an indication that I'm lazy.

Saturday, October 03, 2009

Opinion, but I suspect this is rather widespread. Certainly I have been pushing this for several years. Plenty of examples that companies don't know where their data is and only rarely detect that it has been compromised. All of the questions raised here are being asked by customers and investors, even if the companies don't want to admit it. Does any of this help the companies' legal position in the long term?

Almost a year after it was contacted by an extortionist, pharmacy benefits management company Express Scripts first learned that the extortionist was in possession of at least 700,000 more members’ personal information than they originally knew about. The company has now notified those individuals, but how many other members may also be affected? It’s time for the company to notify everyone.

Earlier this week, while reporting new details on the Express Scripts breach, I commented on a statement made by Express Scripts on their web site that the company was “unaware at this time of any actual misuse of members’ information, but we understand the concern that this situation has caused our members.” I noted that the statement struck me as somewhat preposterous because the company was already aware of actual misuse of the information — the extortion demand itself was actual misuse of the information.

Yesterday, a site reader alerted me to the fact that Express Scripts subsequently changed that portion of their support web site to now read:

At this time, Express Scripts has not confirmed any fraudulent misuse of member information as a result of this incident.

While I appreciate that they are no longer suggesting that there’s been no misuse, their new wording is still somewhat problematic. What does “has not confirmed any fraudulent misuse” mean? Does it mean that they have now actually received some reports of fraud or ID theft that have been attributed to the breach but that they have not confirmed as being due to the breach, or does it mean something else?

Express Scripts has not replied to an inquiry I sent them yesterday asking them to clarify what this new wording actually means. If they do, I will update this entry, but in the meantime, nagging questions remain, such as:

1. Why has Express Scripts been unable to determine how many — and whose — records were acquired by the extortionist? After diligent investigation on their part, they never discovered that 700,000 members’ records had been accessed; and

2. How many other members’ records does the extortionist also possess?

Express Scripts is certainly not the first entity to be unable to determine the full scope of a breach, but in this case, where we already have evidence of some malicious purpose, identifying all of those affected takes on added import.

We have often seen the phrase “in an abundance of caution” used in notification letters. In this case, an abundance of caution would mean notifying everyone whose data were potentially acquired. Express Scripts has not taken that approach, however. As a result, 700,000 people whose data were acquired almost a year ago are first learning that they are at risk, and we do not know how many others may also be at risk of ID theft.

In its summary of this incident, the Wisconsin Office of Privacy Protection described who’s affected as “Millions of member records to include a number of Wisconsin residents.” Based on Express Scripts’ notifications to states, that description appears to be erroneous. But then again, maybe it’s just prescient.

Given that the company is dealing with a situation in which they already have evidence that the individual is willing to misuse member data, and given the market for Social Security numbers with dates of birth and other personal information, this blogger believes that a “when in doubt, notify” approach is warranted. While I give credit to Express Scripts for not paying the extortion demands, they must certainly realize that if the extortionist cannot get money from them, it is quite possible that the data will be put up for sale. Express Scripts’ members need to know that so that they can be vigilant about their credit reports, but that will not happen if the company does not notify them that they may be at risk. Saying that they have notified those whose data they know to have been acquired strikes me as not prudent enough given their inability to determine the scope of this breach. I urge them to notify everyone whose records may have been in the database that they suspect was accessed. If ever an “abundance of caution” was in order, this is such a situation.

The personal data of tens of thousands of U.S. soldiers — including those in the Special Forces — continue to be downloaded by unauthorized computer users in countries such as China and Pakistan, despite Army assurances that it would try to fix the problem, according to a private firm that monitors cybersecurity.

Tiversa, which scours the Internet for sensitive data, discovered the data breaches while conducting research for private clients. The company found, as recently as this week, documents containing Social Security numbers, blood types, cellphone numbers, e-mail addresses, and the names of soldiers’ spouses and children.

[...]

Of particular concern to security experts is Tiversa’s discovery of personal information about soldiers in the 3rd Special Forces Group (Airborne), whose mission area is Africa.

“These guys are operating behind lines, and they are absolutely in the deepest part of the fight,” said James Mulvenon, vice president of the intelligence division at Defense Group, a security consulting firm. “The fact that the documents have the names and addresses of the families and all the pressures that could be put to bear on them, it’s a nightmare.”

Carol Darby, a spokeswoman for the Army Special Operations Command, confirmed the data breach but described it as an isolated incident. [How does the fact that it's an “isolated incident” have any bearing on the issue? Sounds like PR BS to me. Bob] She said those involved in the breach had been punished, but she did not provide details.

The company found the sensitive documents by using "peer to peer" file-sharing software, which can be easily downloaded on the Internet and which allows computer users to share music or other files.

… Towns, who is drafting legislation to address the problems raised by peer-to-peer technology, said: "What is striking about these file-sharing leaks is that these aren't one-time events. Once this software is installed and files are leaked, the leaking is continuous."

Here’s a case where it sounds like sloppy security may have led to unwarranted criminal charges. Annmarie Timmins reports:

The authorities have dropped their theft and computer crime case against a former Local Government Center employee because the center’s “careless” and “sloppy” security practices would undermine any charges, according to letters obtained from the Merrimack County Attorney’s Office.

The news was a “huge relief” for Ruthanne Bradley, 47, of Concord, who was arrested just over a year ago and charged with concealing backup tapes at the center and manipulating the information on them.

The Local Government Center administers benefits plans for public employees, and its databases hold personal information about thousands of workers throughout the state. Bradley worked for the center’s information technology office.

The backup tapes, which were immediately found, unharmed and mislabeled at the center, did not contain medical or pharmacy claim information, center staff said at the time of Bradley’s arrest. Staff also said there had been no security breach.

“It’s important for me to let people know I didn’t have anything to do with this tape issue,” Bradley said yesterday. “I want everyone who read the story (a year ago) and may have judged me. . . . I want it to be known that it wasn’t me that had anything to do with this.”

In both letters, Waldron identified what he considered nine security problems, including the fact that secure areas were not locked, sensitive data was accessible by more people than necessary and that the center's software system had no way of tracking which user or computer was manipulating data.

Ah, I feel so much more secure now... Too bad that travel is no longer a right...

Six years ago the federal government proposed taking over the job of comparing passenger names against the terrorist watch lists. Just this week, Southwest Airlines frequent fliers are being asked to update their profiles with name, gender and date of birth information in order to let the feds try that system out.

… Passengers who have no identification, lost it or prefer not to show it may still be able to fly after getting extra screening, but they have to be nice to airport screeners or else they won’t be allowed through the metal detectors, according to TSA policy.

(Related) One country's security is another country's pain in the neck. (One man's tourist is another man's terrorist?)

Posted by Soulskill on Saturday October 03, @09:18AM from the otherwise-the-terrists-win dept.

An anonymous reader writes

"Yesterday, Chicago lost its bid for the 2016 Olympics (which went to Rio de Janeiro instead), and it's looking very likely that US border procedures were one of the main factors which knocked Chicago out of the race: 'Among the toughest questions posed to the Chicago bid team this week in Copenhagen was one that raised the issue of what kind of welcome foreigners would get from airport officials when they arrived in this country to attend the Games. Syed Shahid Ali, an I.O.C. member from Pakistan, in the question-and-answer session following Chicago's official presentation, pointed out that entering the United States can be "a rather harrowing experience." ... The exchange underscores what tourism officials here have been saying for years about the sometimes rigorous entry process for foreigners, which they see as a deterrent to tourism.'"

Posted by Soulskill on Friday October 02, @10:13PM from the involves-neither-scissors-nor-hungry-wolves dept.

Today Spamhaus announced they are releasing a new list of IP addresses from which they've been receiving "snowshoe" spam — unsolicited email distributed across many IPs and domains in order to avoid triggering volume-based filters. "This spam is sent from many small IP ranges on many Internet Service Providers (ISPs), using many different domains, and the IPs and domains change rapidly, making it difficult for people and places to detect and block this spam. Most importantly, while each host/IP usually sends a modest volume of bulk email, collectively these anonymous IP ranges send a great deal of spam, and the quantities of this type of spam have been increasing rapidly over the past few months." A post at the Enemies List anti-spam blog wonders at the impact this will have on email service providers and their customers. The author references a conversation he had with an employee from one of these providers: "... I replied that I expected it to mean the more legitimate clients of the sneakier gray- and black-hat spammers would migrate to more legitimate ESPs — suggesting that it was, in the long run, a good thing, because ESPs with transparency and a reputation to protect will educate their new clients. His reply was essentially that this would be a problem for them in the short run, because it would swamp their new customer vetting processes and so on."
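A small defender-side illustration of the detection problem the Spamhaus quote describes, as an added example (Python, not Spamhaus or Enemies List code): it groups constructed mail-log lines by /24 and flags ranges whose hosts each stay under a per-host volume threshold but which collectively send a lot of mail from many throwaway domains, which a per-host volume filter alone never sees. The log line format, the thresholds and the addresses (documentation ranges) are assumptions.

```python
"""Toy "snowshoe" sender detector: per-host volume is modest, per-range volume is not.

Added example, not code from the page or from Spamhaus. Assumed simplified log
format: "<timestamp> from=<address> ip=<ipv4>". Thresholds are illustrative.
"""
from collections import defaultdict
import ipaddress
import re

LINE_RE = re.compile(r"from=\S+@(?P<domain>\S+)\s+ip=(?P<ip>\d+\.\d+\.\d+\.\d+)")


def _constructed_log():
    """Build constructed sample log lines (documentation IP ranges, made-up domains)."""
    lines = []
    # Five hosts in one /24, three messages each, every host using its own throwaway domain.
    for i, dom in enumerate(["deal-a", "deal-b", "deal-c", "deal-d", "deal-e"]):
        for n in range(3):
            lines.append(f"2009-10-02T10:{i:02d}:{n:02d} from=promo@{dom}.example ip=198.51.100.{11 + i}")
    # One ordinary bulk sender: a dozen messages from a single host and a single domain.
    for n in range(12):
        lines.append(f"2009-10-02T11:00:{n:02d} from=news@newsletter.example ip=203.0.113.5")
    # A lone low-volume host that should not be flagged by either check.
    lines += ["2009-10-02T12:00:00 from=bob@corp.example ip=192.0.2.7",
              "2009-10-02T12:00:05 from=bob@corp.example ip=192.0.2.7"]
    return "\n".join(lines)


SAMPLE_LOG = _constructed_log()


def parse_log(text):
    """Yield (ip, sender_domain) for each line matching the simplified format."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("ip"), m.group("domain").lower()


def summarize(events, prefix=24):
    """Count messages per host, and per /prefix network track messages, hosts and domains."""
    per_host = defaultdict(int)
    ranges = defaultdict(lambda: {"messages": 0, "hosts": set(), "domains": set()})
    for ip, domain in events:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        per_host[ip] += 1
        r = ranges[net]
        r["messages"] += 1
        r["hosts"].add(ip)
        r["domains"].add(domain)
    return per_host, ranges


def find_bulk_hosts(text, per_host_max=5):
    """The classic volume-based filter: hosts that individually exceed per_host_max."""
    per_host, _ = summarize(parse_log(text))
    return sorted(ip for ip, n in per_host.items() if n > per_host_max)


def find_snowshoe_ranges(text, prefix=24, per_host_max=5, range_min=10,
                         min_hosts=3, min_domains=3):
    """Networks whose hosts all stay at or under per_host_max (invisible to the
    per-host filter) but which collectively reach range_min messages, spread
    across at least min_hosts hosts and min_domains distinct sender domains."""
    per_host, ranges = summarize(parse_log(text), prefix)
    flagged = []
    for net, r in ranges.items():
        hosts_quiet = all(per_host[ip] <= per_host_max for ip in r["hosts"])
        if (hosts_quiet and r["messages"] >= range_min
                and len(r["hosts"]) >= min_hosts and len(r["domains"]) >= min_domains):
            flagged.append(str(net))
    return sorted(flagged)


if __name__ == "__main__":
    print("per-host filter catches:", find_bulk_hosts(SAMPLE_LOG))
    print("range aggregation catches:", find_snowshoe_ranges(SAMPLE_LOG))
```

Lowering `per_host_max` to 2 makes the /24 hosts look "noisy" individually, so the range check defers to the per-host filter and flags nothing; in practice the two checks are complementary, not alternatives.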

I didn't know that “Enquiring minds want to know” was a legal argument...

It’s a decision that might make people think twice about what they post in online “reader comments” sections.

Cook County Circuit Court Judge Jeffrey Lawrence ruled the Daily Herald and Comcast must reveal the identity of a person who posted a comment on dailyherald.com directed toward the teenage son of Buffalo Grove Village Trustee Lisa Stone.

Comcast is slated to turn the person’s name over to the judge Monday, Oct. 5. Attorneys for everyone involved will then argue whether the information should be turned over to Stone.

Read the full story on Daily Herald. Apparently, when Comcast was ordered to turn over customer information, they did contact their customer:

On Sept. 25, the judge ruled that Comcast must reveal the person’s name to him. Comcast spokesman Rich Ruggiero said the company contacted the customer to notify him of the court order. He retained an attorney and filed a motion to quash Stone’s subpoena. Judge Lawrence denied the motion.

So… is it permissible to tie up the courts simply to obtain the name of an individual if you do not intend to pursue litigation for defamation? In this case, it seems that Stone may be using the legal process solely to identify the individual:

What Stone would do with the information, if she gets it, has not yet been decided, said her attorney, Bill O’Connor. She could do nothing, or she could file a lawsuit.


[From the article:

The Buffalo Grove police reviewed the comments made to Stone's son along with the state's attorney's office but concluded no crime had been committed.

In May, Stone filed a petition for pre-suit discovery -- a precursor to a lawsuit -- against Paddock Publications, owner of the Daily Herald. It was shortly after Stone, a first-time political candidate, won a hotly contested village trustee election in Buffalo Grove.

In a pre-election story about a questionable campaign flier that appeared online, some negative comments about Stone were posted on the "reader comments" page. Stone's son, who was a freshman in high school at the time, went online to defend his mother. As is common practice, the commenters identified themselves only by made up "user names" rather than their real names.

After some back-and-forth bickering between Stone's son and one specific poster, Stone claims the person made "defamatory and injurious statements" toward her son. The exact comments were not part of the court record. On the advice of her attorneys, Stone declined to elaborate on what was written.

Now this would be interesting... Using technology to make the law comprehensible! What a concept!

Posted by Soulskill on Saturday October 03, @05:10AM from the they-might-actually-know-what-they're-voting-on dept.

coldmist writes

"Sen. Thomas Carper (D-Del.) is on the Senate Finance Committee, which just finished work on the health care bill. The committee recently rejected an amendment which would have required them to post the legislation for public viewing for 72 hours before it went to final vote. Several senators felt that the actual legal code would be too cryptic and complicated to be useful. Carper himself said, 'I don't expect to actually read the legislative language because reading the legislative language is among the more confusing things I've ever read in my life.' So, why don't they put it in SVN (or some similar version control system) where people can tkdiff the changes (i.e. new legislation is in a branch) or output a patchset? If a bill is passed, it's merged into the trunk. It just seems so logical to me, yet I can't find any mention of doing this on the web. What do you think?"

Posted by ScuttleMonkey on Friday October 02, @02:00PM from the what-not-to-do dept.

Techdirt points out a great postmortem for the Rocky Mountain News, a newspaper that ended up shutting down because they couldn't adapt to a world beyond print. While long, the talk (in both video and print) is incredibly candid coming from someone who lived through it and shares at least some portion of the blame.

"It seems like pretty much everything was based on looking backwards, not forward. There was little effort to figure out how to better enable a community, or any recognition that the community of people who read the paper were the organization's true main asset. ... The same game is playing out not just in newspapers, but in a number of other businesses as well. Like the Rocky Mountain News, those businesses are looking backwards and defining themselves on the wrong terms, while newer startups don't have such legacy issues to deal with."

Will eventually be an interesting saga. Chasing (harassing?) a company across borders in order to make them an example. (Yet another judge was removed from this case for bias)

Posted by Soulskill on Saturday October 03, @12:09AM from the wonder-if-they-considered-arrrrrgentina dept.

the monolith writes

"Back in August, the company supplying bandwidth to The Pirate Bay was forced to disconnect them. Quoting TorrentFreak: '"It took just 20 minutes before the Hollywood companies telephoned the new host who took over operation of The Pirate Bay," commented Patrik from the ISP which had been indirectly supplying bandwidth to TPB. Despite initially putting on a brave face and standing strong, Patrik's company continued to feel the heat. It is not a large outfit and doesn't have the resources to fight the entertainment industry and its threats. Last night, Patrik could hold off no longer after receiving mounting threats from the entertainment industries, which culminated in threats of a court summons. Having come this far, there is little doubt that IFPI and the MPAA would litigate if necessary. ... On the heels of several rumors today, Patrik said he could confirm news of the move, saying that he believes The Pirate Bay is now hosted in Ukraine.'"

(Related) Expending resources in a futile effort to cut the “evil doer” off from the rest of the world?

Google has removed links to notorious file-sharing site The Pirate Bay in its search results.

The move is a reaction to a takedown notice issued under the United States Digital Millennium Copyright Act (DMCA). Although searches for "The Pirate Bay" still return results, all direct links to the website have been removed, including The Pirate Bay homepage.

A footnote at the bottom of the search page explains that: "In response to a complaint we received under the US Digital Millennium Copyright Act, we have removed 8 result(s) from this page."

… It's currently unclear who filed the complaint. Google's website claims complaints are published on the Chilling Effects website, but we couldn't locate the relevant notice.

Google users searching for the Pirate Bay won't have to work too hard to find the site. The top result is now The Pirate Bay's Wikipedia entry, which provides a prominent link to the site's homepage.

It's also possible to search The Pirate Bay itself using Google, by typing "site:http://thepiratebay.org" into the search bar.

Update 12pm 3 October 2009: Searches for "The Pirate Bay" are now once again linking to the site.

A Google statement given to CNet.com claims the site was removed by mistake.

There are some video portal aggregators that allow you to search multiple sites at once. Likewise, there are various sites that allow you to download videos, convert those video files and play them offline and on your computer.

ClipFinder HD combines these functions under one roof. It’s a stunningly beautiful and innovative desktop application by Ashampoo that does everything you’ve ever dreamed of, and so much more.

… What’s out of the ordinary here is that Ashampoo normally charges for their software.

… If you want to ‘unlock’ Clipfinder HD beyond the 10 day trial you initially get, just give your email address and you’ll be mailed a working serial code. You won’t need your registration ‘afterwards’, so you might want to use a disposable email account to avoid any unwanted mails.

The Identity Theft Resource Center (ITRC) has released an interim report that reveals that breaches involving paper records appear to be increasing significantly compared to last year while the number of incidents involving electronic records has not shown a similar increase.

According to a press release today, paper breaches currently account for 25% of all breaches recorded in their 2009 database whereas for all of 2008, paper breaches accounted for 17.8%. In 2008, there were 116 paper breaches for the entire year, whereas as of September 30, there have already been 99 incidents recorded.

The business sector accounts for 35 of the 99 paper breaches recorded in their database, with the financial and education sectors recording the fewest paper breaches.

Because not all states require disclosure of, or notification of, paper breaches, it is impossible to estimate how prevalent paper breaches really are or whether what appears to be an increase might simply be an artifact of increased media coverage or public awareness.

Paper data breaches may present easier opportunities for identity thieves because the information is “ready to use” and may include signatures. A number of identity theft cases prosecuted within the past year have involved the theft of mail containing personal information that was then used for fraudulent purposes.

According to ITRC, it is critical that both state and federal governments recognize and convey the importance of regulating “best practices” protocols for paper document storage and disposal. ITRC recommends that new breach laws, and amendments to current laws, take into account paper breaches in a manner similar to statutes affecting electronic data breaches.

Britain’s High Court ordered its first injunction via Twitter on Thursday, saying the social website and micro-blogging service was the best way to reach an anonymous tweeter who had been impersonating someone.

Solicitors Griffin Law sought the injunction against the micro-blog page www.twitter.com/blaneysblarney arguing it was impersonating right-wing blogger Donal Blaney, the owner of Griffin Law.

[...]

Andre Walker at Griffin Law said the anonymous tweeter targeted by the writ will get a message from the High Court the next time they open their online account.

“Whoever they are, they will be told to stop posting, to remove previous posts and to identify themselves to the High Court via a web link form,” he said.

The Government’s controversial Driver and Vehicle Licensing Agency has launched an investigation into how the car registrations of millions of motorists were sold for use by a giant oil firm.

Castrol spent hundreds of thousands of pounds on a campaign promoting its oils, using giant advertising billboards on five major routes in London.

[...]

Roadside cameras recorded number plates before flashing their registration on to screens and revealing the grade of oil recommended for use in the car’s engine.

[...]

The DVLA says it restricts the release of data chiefly to car parking enforcement companies, solicitors, finance firms and property companies – but insists that in every case the privacy of motorists is ‘properly safeguarded’.

However, the agency does sell data, including the registration number, engine size, year, make and model of individual cars, to a number of organisations, including five motor industry data providers.

This is used to ensure garages fit vehicles with the correct tyres, batteries and replacement parts. [Suggesting that manufacturers keep this information secret? Bob] But sources have admitted that in the Castrol campaign, the DVLA data was passed on by one of the five companies to a third-party contractor, which then used it in contravention of the ban on the use of registration numbers for marketing purposes.

National Cybersecurity Awareness Month: "October marks the sixth annual National Cybersecurity Awareness Month sponsored by the Department of Homeland Security. The theme for National Cybersecurity Awareness Month 2009 is “Our Shared Responsibility” to reinforce the message that all computer users, not just industry and government, have a responsibility to practice good “cyber hygiene” and to protect themselves and their families at home, at work and at school. Americans can follow a few simple steps to keep themselves safe online. By doing so, you will not only keep your personal assets and information secure but you will also help to improve the overall security of cyberspace."

Privacy legislation affecting the online advertising industry could be submitted by November. According to statements made recently by Rep. Rick Boucher, who heads up the House Subcommittee on Communications, Technology and the Internet, a bill with bipartisan support could be introduced before Congress adjourns for its winter holiday break.

“We are making rapid progress and hope to have a bill introduced before recess,” Boucher said in an interview with beltway pub The Hill yesterday.

“The key elements [of the legislation] are going to be that every website will have to disclose every piece of information that they collect from visitors and how that information is used by the website that collects it. And then users should have control over that process,” added Boucher in the interview. Such information should be provided in “an easy-to-locate privacy policy,” suggested the Congressman in a separate article he wrote for the same publication, published last week.

Powerful Senate leaders on Thursday bowed to FBI concerns that adding privacy protections to an expiring provision of the Patriot Act could jeopardize “ongoing” terror investigations.

The Patriot Act was adopted six weeks after the 2001 terror attacks, and greatly expanded the government’s power to intrude into the private lives of Americans in the course of anti-terror and criminal investigations. Three provisions are expiring at year’s end.

During a Senate Judiciary Committee hearing, Sen. Patrick Leahy, the committee chairman, and Sen. Dianne Feinstein (D-California) introduced last-minute changes (.pdf) that would strip away some of the privacy protections Leahy had espoused just the week before. The Vermont Democrat said his own, original proposal of last week could jeopardize ongoing terror investigations.

Read more on Threat Level. And for EFF’s perspective on the developments, see Kevin Bankston’s live blogging entry here.

[From Threat Level:

“The biggest investigation since 9/11 is ongoing,” Feinstein said. “My concern was that nothing we do here interfere with an investigation that is going on.”

[It would be most interesting to relate the Patriot Act to details of the “Denver shuttle bus driver” as they are released. What harm would the proposed amendments have caused? Bob]

I wonder how much they were willing to pay to keep this from going to trial?

A tentative settlement has been reached in a long-running suit that alleges a former intelligence agent and a State Department official unlawfully eavesdropped on a DEA agent, potentially bringing the state secrets case to an abrupt close and sparing the Justice Department a loss on appeal.

Justice lawyers filed notices yesterday evening about the proposed settlement. The notices were filed in the U.S. Court of Appeals for the D.C. Circuit, where the case is pending, and in the U.S. District Court for the District of Columbia, where the case was filed in 1994.

… In August, Chief Judge Royce Lamberth of federal district court in D.C. ruled that the lawyers for both sides have a need to know the classified information that their clients have in their memories. Lamberth directed the Justice Department to grant security clearances to the private lawyers for the plaintiff and defendants. Click here for the opinion.

News release: "Individuals’ genetic information will have greater protections through new regulations issued today by the U.S. Departments of Health and Human Services (HHS), Labor, and the Treasury. [Specifically the IRS??? Bob] The interim final rule will help ensure that genetic information is not used adversely in determining health care coverage and will encourage more individuals to participate in genetic testing, which can help better identify and prevent certain illnesses."

"One of FASAB’s federal financial reporting objectives—the stewardship objective—includes enabling readers to determine whether future budgetary resources will likely be sufficient to sustain public services and to meet obligations as they come due...the question of the long-term fiscal sustainability of U.S. government services may be among the most important questions of our time. The Board believes that fully meeting the stewardship objective requires non-traditional approaches to complement and enrich the information from the federal government’s balance sheets and operating statements. The objective of the required reporting is not only to provide information that is useful and necessary in assessing fiscal sustainability but also to effectively communicate the information in a way that is meaningful and understandable to readers. The required reporting will include information about projected trends in the federal budget deficit or surplus and the federal debt and how these amounts relate to the national economy. Most importantly, if an excess of projected spending over projected receipts is indicated by the projections, the required reporting will explain and illustrate the likely impact of delaying action - for example, the progressive increase in the change that would be needed by (1) reducing spending, or (2) increasing receipts."

"The Department of Justice launches Justice.gov today in an effort to increase openness and transparency in government. Utilizing a variety of online tools, we will be able to share news and information, not just on our own web site, but through popular social networks Twitter, YouTube and MySpace and Facebook. The Justice presence on these social networks will allow Americans to interact with the Department in entirely new ways. The new Justice.gov has incorporated more multimedia than ever before. You’ll find a photo gallery and video library that will be regularly updated with new content from across the Department of Justice. And of course, The Justice Blog will be a hub of information for the Department."

I didn't know the government would pay me to write a textbook. (Lots of comments)

School’s back in session, and Weebly, a startup that makes it super easy to build websites using a drag-and-drop interface, is looking to capitalize on it. Today Weebly is launching a new product geared directly at educators and their students, allowing schoolchildren who may not be familiar with the basics of HTML or CSS to craft their own multimedia online blogs and reports with a minimal amount of effort.

… Weebly is offering the product for free for teachers with up to 40 students, and then $1 per additional student account, purchased in packs of 10. Teachers can also sign up for Weebly Pro for $40/year, and all of the pro features extend to their students. There’s also a discount for teachers who refer each other.

As previously reported here, Express Scripts recently updated their breach report on the incident from 2008 involving an extortion demand. Now Dina Wisenberg Brin of Dow Jones Newswires provides some additional details, including the statistic that Express Scripts has now sent out approximately 700,000 individual notification letters, total. The company has not revealed how many of the 700,000 notifications are due to its recently becoming aware that even more data had been acquired than they had realized. [Almost always the case. No idea why that is so. Bob]

Express Scripts spokeswoman Maria Palumbo told Dow Jones Newswires that the person who illegally obtained member records recently sent a data file to a law firm, [Hacktivism? Bob] which forwarded it to the FBI. Palumbo wouldn’t identify the law firm, other than to say it was one that had filed a lawsuit against the company.

As it has in the past, Express Scripts made a statement that it is “unaware at this time of any actual misuse of members’ information, but we understand the concern that this situation has caused our members.”

That statement strikes me as somewhat preposterous because the company is already aware of actual misuse of the information — the extortion demand itself represents actual misuse of the information, in my opinion.

Update: Robert McMillan of IDG News Service also reports on the latest developments in this breach, and notes that:

In May, Washington, D.C., law firm Finkelstein Thompson brought a class-action suit against Express Scripts on behalf of members whose data was stolen. Attorneys at the firm did not return messages seeking comment for this story.

The report also includes statements I made to the reporter about this breach.

Update 2: Dina Wisenberg Brin has updated her story to include a few more details. Express Scripts indicates that most of the 700,000 notifications are due to the recently revealed data as only a few hundred members were notified last year. Additionally, the company notes that the data appear to be consistent with how their data looked in 2006.

(Related) “We didn't know where our records were either...” I teach my Statistics students that they should know how many people are involved in their studies. The math doesn't work well otherwise...

A hacker who wormed into a UNC Chapel Hill computer server may not have gotten access to as much information as officials originally feared.

UNC School of Medicine officials said last week that a security breach had left data related to as many as 236,000 women enrolled in a mammography study exposed, including 163,000 social security numbers.

But now school officials say the number of exposed files is actually about 160,000 total, including about 114,000 social security numbers, said Stephanie Crayton, a UNC Health Care spokeswoman.

This week, UNC was also informed by DataBreaches.net that the UNC School of Journalism and Mass Communication server appeared to have been infected and was serving up spam. In that case, the compromise appeared to be due to a known WordPress vulnerability affecting older versions of WordPress.

The inspector general of the National Archives and Records Administration is investigating a potential data breach of tens of millions of records about U.S. military veterans, after the agency sent a defective hard drive back to its vendor for repair and recycling without first destroying the data. [It's hard to 'erase' data if the drive won't let you talk to it. Bob]

As I mentioned yesterday, e-crooks are becoming more sophisticated. (not to be confused with smarter)

Hackers last week apparently used stolen account information from a New Jersey company that provides online payroll services to target the firm’s customers in a scheme to steal passwords and other information.

[...]

Unlike typical so-called “phishing” scams — which are sent indiscriminately to large numbers of people in the hopes that some percentage of recipients are customers of the targeted institution — this attack addressed PayChoice customers by name in the body of the message. The missives also included reference to each recipient’s onlineemployer.com user name and a portion of his or her password for the site.

In a statement e-mailed to Security Fix, PayChoice said the company discovered on Sept 23 that its online systems had been breached. The company said it immediately shut down the onlineemployer.com site and instituted fresh security measures to protect client information, such as requiring users to change their passwords.

Last Wednesday, a number of PayChoice customers received an e-mail warning them that they needed to download a Web browser plug-in in order to maintain uninterrupted access to onlineemployer.com, the portal for PayChoice's online payroll service. The supposed plug-in was instead malicious software designed to steal the victim's user names and passwords.

The identity crimes report, which was commissioned by credit company Veda Advantage and conducted by Galaxy Research, found more than 1.5 million people’s credit cards had been skimmed and 1.2 million people’s bank accounts were illegally accessed.

Many more people’s mail containing PINs and other information that can be used to create a false identity was stolen.

ID fraud in Australia is up at least 23 per cent this year compared with a year ago and experts believe it is because Australia has been slow in deploying anti-fraud technology.

Most privacy practitioners would not consider a legal entity to have privacy rights. Rather, a legal entity may have trade secrets or contractual confidentiality protections. However, in its novel holding, the Third Circuit found that a corporation (AT&T) was protected by an exemption in the Freedom of Information Act (FOIA) that applies to “unwarranted invasions of personal privacy.”

Over on Courthouse News, Tim Hull reports that an advertising firm and Toyota are being sued because an advertising campaign terrorized an email recipient:

A woman says a “terror marketing” campaign that Saatchi & Saatchi created for Toyota made her believe a drunken English soccer hooligan with a pit bull would show up at her home expecting to crash on her couch. She says the defendants sent her a series of anonymous emails in which a fictional man claimed he knew her address and planned to “lay low at your place for a bit. Till it all blows over. Bringing Trigger.”

Amber Duik says she was terrorized by the “nontraditional promotion” called “The Other You.” In her Superior Court complaint, Duik says the anonymous series of emails left her “constantly in tears and shaking and sobbing in emotional distress” during the entire month of April 2008.

[...]

Eventually an actor in the “movie” revealed that the entire ordeal was a hoax, and that Duik had been “punked” by Toyota as part of a marketing campaign for its Matrix automobile.

Duik says she was so terrified by the emails that her boyfriend began sleeping with a club and Mace. She says she was convinced that “a violent criminal on the run from the police both in England and the United States” was making his way down the California coast to her home.

The "terror marketing campaign" consisted of a series of emails that purported to come from Sebastian Bowler, a fictional 25-year-old man, created by Saatchi & Saatchi, who loves soccer, drinking, and getting into trouble (www.myspace.com/bowlerbowler).

Posted by timothy on Wednesday September 30, @03:18PM from the would-love-to-see-the-install-prompt-for-this dept.

itwbennett writes

"If antivirus protectors could collect data from machines and users, including geographic location, social networking information, type of operating system, installed programs and configurations, 'it would enable them to quickly identify new malware strains without even looking at the code,' says Dr. Markus Jakobsson. In a recent article, he outlines some examples of how this could work. The bottom line is this: 'Let's ignore what the malware does on a machine, and instead look at how it moves between machines. That is much easier to assess. And the moment malware gives up what allows us to detect it, it also stops being a threat.'"

Speaking of Big Brother tools... An easy “It's for the children” sell, but some real risk of “thought police”.

… Now, a group of researchers at Harvard University has created the first computer model to automatically detect the risk that a patient is being abused at home. The results were published Sept. 29 in the British Medical Journal.

“It’s a great concept,” said Debra Houry, an emergency physician at Emory University, who was not involved in the research. Although around one in four women experience domestic violence at some point in their lives, she says, the problem often goes unnoticed at a doctor’s visit. “It’s one of those hidden epidemics where they don’t come up to you and disclose the issue.”

… Using the new system, the researchers were able to predict abuse an average of two years before the doctor made the diagnosis. Presumably, the computer is picking up signs of ongoing maltreatment the patient hasn’t yet revealed.

The researchers also speculate that, in principle, some subtle signal could precede direct abuse. [“You are under arrest citizen for contemplating abusing your spouse.” Bob]

Redefining “Large Datacenter” Also some tips for my Business Continuity class.

… But on Wednesday, the company allowed a group of reporters, customers, and partners to tour the 700,000 square foot facility.

… But, for all its strategic import, the ground floor of the Chicago plant looks more like a truck parking lot than a traditional data center. In each parking spot, though, Microsoft can drop off a container packed with up to 2,000 servers.

Posted by timothy on Wednesday September 30, @04:55PM from the where's-the-good-silverware dept.

An anonymous reader writes

"Google maps are getting extended indoors next month with a new app called Micello that takes over where conventional navigators leave off — mapping your route inside of buildings, malls, convention centers and other points of interest. You don't get a 'you are here' blinking dot yet — but they do promise to add one next year using WiFi triangulation. At the introduction next month, Micello will only work in California, but they plan to expand to other major US cities during 2010."

Posted by CmdrTaco on Thursday October 01, @09:30AM from the still-can't-see-through-pants dept.

KentuckyFC writes

"The way radio signals vary in a wireless network can reveal the movement of people behind closed doors, say researchers who have developed a technique called variance-based radio tomographic imaging which processes wireless signals to peer through walls. They've tested the idea with a 34-node wireless network using the IEEE 802.15.4 wireless protocol (the personal area network protocol employed by home automation services such as ZigBee). The researchers say that such a network could be easily distributed by the police or military wanting to determine what's going on inside a building. But such a network, which uses cheap off-the-shelf components, might also be easily deployed by your neighbor or anybody else wanting to monitor movements in your home."

National Archives and Footnote.com Announce New Digital Holocaust Collection

News release: "The National Archives and Records Administration and Footnote.com announced the release of the internet’s largest Interactive Holocaust Collection. For the first time ever, over one million Holocaust-related records – including millions of names and 26,000 photos from the National Archives – will be available online. The collection can be viewed at: http://www.footnote.com/holocaust...The collection also includes nearly 600 interactive personal accounts of those who survived or perished in the Holocaust provided by the U.S. Holocaust Memorial Museum. The project incorporates social networking tools that enable visitors to search for names and add photos, comments and stories, share their insights, and create pages to highlight their discoveries. There will be no charge to access and contribute to these personal pages."

Posted by samzenpus on Wednesday September 30, @10:13PM from the start-the-mutations dept.

An anonymous reader writes

"A NASA probe found that cosmic ray intensities in 2009 had increased by almost 20 percent beyond anything seen in the past 50 years. Such cosmic rays arise from distant supernova explosions and consist mostly of protons and heavier subatomic particles — just one cosmic ray could disable unlucky satellites or even put a mission to Mars in jeopardy."

News release: "The Central Intelligence Agency is launching The Center on Climate Change and National Security as the focal point for its work on the subject. The Center is a small unit led by senior specialists from the Directorate of Intelligence and the Directorate of Science and Technology. Its charter is not the science of climate change, but the national security impact of phenomena such as desertification, rising sea levels, population shifts, and heightened competition for natural resources. The Center will provide support to American policymakers as they negotiate, implement, and verify international agreements on environmental issues. That is something the CIA has done for years."

Posted by timothy on Wednesday September 30, @02:12PM from the for-the-journal-of-sensors-and-transducers dept.

cremeglace writes

"Scientists at the University of Colorado at Boulder have found a use for GPS besides finding restaurants or the occasional road-that-doesn't-exist: it can be used to measure snow depth. The new technique, which takes advantage of distortions of the GPS signal after it reflects off the snowpack, may potentially improve weather forecasts by allowing meteorologists to track snowfall patterns. ScienceNOW has the story, which one geophysicist describes as 'a classical case of one person's noise becoming another person's signal.'"

A sensitive e-mail mistakenly sent by a bank to a Gmail address that prompted a court to order Google to deactivate the account was not viewed by the recipient and has been deleted, the bank said on Tuesday.

… The bank sent another e-mail asking that the data be destroyed and went to court to get Google to intervene on its behalf. Last week, a judge in U.S. District Court in San Jose, Calif., ordered Google to deactivate the Gmail account and Google complied. Google and the bank quickly resolved the matter and the court granted their motion to dismiss the case and allowed Google to reactivate the Gmail account.

"Rocky Mountain Bank, working with Google (through court order), confirmed on Thursday of last week that the e-mail containing client information was never opened and has now been permanently destroyed by Google's system," Tina Martinez, general counsel for Rocky Mountain Capital, wrote in an e-mail response to questions.

"As a result, no customer data of any sort has been viewed or used by any inappropriate user during this data lapse," Martinez wrote. [That statement is a bit broader than the facts suggest. Bob]

… The case poses some interesting questions. For instance, should the person who registered the e-mail address lose access to the account or have items deleted without his or her permission, particularly through no fault of their own?

And what recourse would the bank have if the data had been sent via regular mail to the wrong address? The U.S. Postal Office certainly doesn't have the ability to see the envelope sitting on the recipient's desk and vaporize it.

There has to be a “provable damage” requirement before the fund pays anything. I'll have to research this a bit.

Governor M. Jodi Rell announced that a new law [An Act Concerning Consumer Privacy and Identity Theft], which increases criminal penalties for identity theft and establishes a fund from forfeited assets to help individuals whose identity has been stolen, will become effective on October 1st.

[...]

The legislation makes numerous changes in existing laws relating to identity theft, misuse of Social Security Numbers or other personal identifying information. The law also includes tougher penalties for those convicted of victimizing senior citizens. [Was AARP lobbying for this? Bob] A suspect now faces first-degree identity theft charges – a class B felony – for victimizing anyone older than 60 and stealing assets and valuables over $5,000. The law lowers the theft threshold for a first-degree offense from $10,000.

The legislation broadens the definition of identity theft, increases penalties for criminal impersonation and creates the crime of unlawful possession of personal access devices, such as card readers or scanners, account numbers, personal identification numbers or PIN number and telecommunications service.

Two B.C. people who are victims of identity theft are speaking out in frustration with the justice system.

Mark Gorst and Shannon Werry have ample evidence indicating who the thief is, but even so, RCMP have told them charges won’t be laid.

“It’s frustrating … and there is a lot of anger,” said Werry. “Because you know who it is — and you have the proof that you need — and nothing happens.”

“I didn’t know most of the money was stolen — until two years afterward,” said Gorst. “We’ve been told — because it’s been such a time delay — the statute of limitations on certain crimes means I am on the hook for everything.”

"[Identity theft and fraud] is a level of crime that you don't know about until you know about it [Sounds very “Yogi Berra-like” Bob] — which is sometimes too late for legal boundaries," explained Cpl. Lea-Anne Dunlop of the Chilliwack RCMP.

If more than a year has passed since the initial crime, she said, the bar to get charges approved by the Crown is higher.

The Federal Bureau of Investigation has released a heavily censored version of its controversial Domestic Investigations and Operations Guidelines (DIOG), which became effective on December 1, 2008.

… The 258-page document implements the Attorney General’s Guidelines for Domestic FBI Operations, the most recent version of which was issued late last year by former Attorney General Michael B. Mukasey.

… The Mukasey guidelines, among other things, gave the FBI the authority to open investigative “assessments” of any American without any factual predicate or suspicion. Such “assessments” allow the use of intrusive techniques to surreptitiously collect information on people suspected of no wrongdoing and no connection with any foreign entity. These inquiries may include the collection of information from online sources and commercial databases, and the use of grand jury subpoenas to obtain telephone and email subscriber information.

Jennifer Granick of EFF has a commentary on a recent decision out of Massachusetts discussed here previously.

The Supreme Court of Massachusetts recently held that officers may not place GPS tracking devices on cars without first getting a warrant. The case, Commonwealth v. Connolly, was decided under the state corollary to the Fourth Amendment, and its reasoning may influence pending GPS tracking cases, including United States v. Jones, where EFF is an amicus.

EFF has urged a U.S. appeals court to reject government claims that federal agents have an unfettered right to install Global Positioning System (GPS) location-tracking devices on anyone's car without a warrant.

What would be better than a mandatory security law that banks would find plenty of loopholes in? This has got to be terrifying!

Computer criminals could wind up costing Danish banks billions if a law requiring them to compensate small businesses on an equal footing with private account holders is passed.

The Commerce Ministry has asked the Financial Supervisory Authority to look into whether companies with less than 10 employees and annual turnover of less than 15 million kroner should be issued a guarantee that they will be compensated if their accounts are hacked into.

Currently, banks are required to compensate private account holders everything but a 1200 kroner deduction if their accounts are hacked. The new law would issue the same guarantee to small businesses and would encompass 90 percent of the country’s companies.

One would expect crime to grow and mature slightly behind the growth curve of the industry itself. It was unlikely that thieves would steal the first (first thousand) automobiles, but eventually the volume made it easier and safer – eventually joining prostitution and gambling as a “business unit” of organized crime.

"This does not seem to be all that newsworthy these days, since stories like this are appearing on a regular basis. The one detail I did like — that seems to break from the traditional 'hackers cause all the bad stuff' reporting — is the mention that everyday employees are a major cause of breaches. The recent Rocky Mountain Bank/Google story is a perfect example. As stated in the article: 'But lower security budgets aren't the only reason breaches tend to soar during tough economic times — employees themselves can often be the cause of such problems.' I figure this will be an ongoing problem until company management and employees accept their role in keeping company information safe. And IT people need to understand that regular employees are not propeller-heads like Slashdot readers, and to begin to implement technology and processes that average people can understand and use."

(Related) Coming soon to a bank near you! We should expect malware to be more sophisticated than early versions of VisiCalc; after all, that was written more than 25 years ago. This looks like an automated stock trading program (also decades old) that initiates transactions based on readily available data.

Researchers at security firm Finjan have discovered details of a new type of banking Trojan horse that doesn't just steal your bank login credentials but actually steals money from your account while you are logged in and displays a fake balance.

The bank Trojan, dubbed URLZone, has features designed to thwart fraud detection systems which are triggered by unusual transactions, Yuval Ben-Itzhak, chief technology officer at Finjan, said in an interview on Tuesday. For instance, the software is programmed to calculate on-the-fly how much money to steal from an account based on how much money is available.

It exploits a hole in Firefox, Internet Explorer 6, IE7, IE8 and Opera, and it is different from previously reported banking Trojans, said Ben-Itzhak. The Trojan runs an executable only on Windows systems, he said. The executable can come via a number of avenues, including a malicious Javascript or Adobe PDF, he added.

The specific Trojan Finjan researchers analyzed targets customers of unnamed German banks, according to the latest Finjan report. It was linked back to a command-and-control server in Ukraine that was used to send instructions to the trojan software sitting on infected PCs.
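The URLZone behaviour described above, sizing each transfer to the balance so it stays under an “unusual transaction” trigger, is as much a detection-engineering problem as a malware one. The following Python is an added example, not Finjan's analysis or code from the article: it shows why a fixed-amount rule misses such a transfer while a rule that also weighs share of balance, threshold hugging and payee novelty still catches it; all accounts, payees, amounts and thresholds are constructed for the demo.

```python
"""Balance-aware fraud scoring versus a fixed-amount rule.

Added example (not Finjan's analysis or the article's text). URLZone is
described as sizing each theft from the available balance so that it stays
below a bank's "unusual transaction" trigger. The detector below compares a
naive absolute-amount rule with one that also weighs the transfer as a share
of the balance, threshold hugging, and whether the payee is new. Every
account, payee, amount and threshold here is constructed for the demo.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    tx_id: str
    account: str
    amount: float          # amount leaving the account
    balance_before: float  # available balance just before the transfer
    payee: str


# Assumed demo thresholds, not any bank's real limits.
ABSOLUTE_LIMIT = 5000.0   # the only signal the naive rule looks at
RATIO_LIMIT = 0.25        # share of balance that counts as "large"
HUG_MARGIN = 0.05         # within 5% below ABSOLUTE_LIMIT counts as hugging it

NEW_PAYEE = "payee never used by this account"
OVER_LIMIT = "amount over absolute limit"
LARGE_SHARE = "amount is a large share of available balance"
HUGS_LIMIT = "amount sits just below the absolute limit"


def naive_flag(t: Transfer) -> bool:
    """The rule a balance-aware trojan is built to stay under."""
    return t.amount > ABSOLUTE_LIMIT


def risk_reasons(t: Transfer, known_payees: dict[str, frozenset[str]]) -> list[str]:
    """Collect every size and payee signal that applies to one transfer."""
    reasons = []
    if t.amount > ABSOLUTE_LIMIT:
        reasons.append(OVER_LIMIT)
    elif t.amount >= ABSOLUTE_LIMIT * (1 - HUG_MARGIN):
        reasons.append(HUGS_LIMIT)
    if t.balance_before > 0 and t.amount / t.balance_before > RATIO_LIMIT:
        reasons.append(LARGE_SHARE)
    if t.payee not in known_payees.get(t.account, frozenset()):
        reasons.append(NEW_PAYEE)
    return reasons


def balance_aware_flag(t: Transfer, known_payees: dict[str, frozenset[str]]) -> bool:
    """Flag when money goes to an unfamiliar payee AND a size signal fires.

    A new payee alone is ordinary (everyone pays someone new eventually) and a
    large payment to a known payee alone is rent; the combination is what an
    account being drained looks like.
    """
    reasons = risk_reasons(t, known_payees)
    return NEW_PAYEE in reasons and len(reasons) >= 2


def evaluate(transfers, known_payees) -> dict[str, tuple[bool, bool]]:
    """Map tx_id -> (naive verdict, balance-aware verdict)."""
    return {t.tx_id: (naive_flag(t), balance_aware_flag(t, known_payees))
            for t in transfers}


# Constructed sample: two legitimate transfers and two URLZone-style thefts.
KNOWN_PAYEES = {
    "acct-1": frozenset({"landlord"}),
    "acct-2": frozenset({"utility-co"}),
    "acct-3": frozenset(),
    "acct-4": frozenset({"payroll"}),
}

SAMPLE_TRANSFERS = [
    # Legitimate rent: large in absolute terms, but a payee this account always uses.
    Transfer("rent", "acct-1", 6000.0, 12000.0, "landlord"),
    # Theft sized to the balance: 35% of a small account, far below the absolute limit.
    Transfer("drain-small", "acct-2", 1120.0, 3200.0, "mule-1"),
    # Legitimate small purchase from a payee this account has never used.
    Transfer("bookshop", "acct-3", 40.0, 5000.0, "bookshop"),
    # Theft on a richer account: under the limit and under the ratio, but hugging the limit.
    Transfer("drain-large", "acct-4", 4900.0, 20000.0, "mule-2"),
]


def demo() -> dict[str, tuple[bool, bool]]:
    """Run both rules over the constructed sample."""
    return evaluate(SAMPLE_TRANSFERS, KNOWN_PAYEES)


if __name__ == "__main__":
    for tx_id, (naive, aware) in demo().items():
        print(f"{tx_id:12s} naive={naive!s:5s} balance_aware={aware}")
```

The naive rule flags only the legitimate rent payment and misses both thefts; the balance-aware rule flags both thefts and neither legitimate transfer.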

A rise in malware has caused the number of infected PCs worldwide to increase 15 percent just from August to September, says a report released Tuesday from antivirus vendor Panda Security.

Across the globe, the average number of PCs hit by malware now stands around 59 percent, an all-time high for the year. Among 29 countries tracked, the U.S. ranked ninth with slightly more than 58 percent of its PCs infected. Taiwan hit first place with an infection ratio of 69 percent, while Norway came in lowest with only 39 percent of its PCs attacked by malware.

But reader CWmike notes that Symantec is trash-talking Microsoft's free offering. Jens Meggers, Symantec's vice president of engineering, dismissed MSE as a "poor product" that will "never be up to snuff." Meggers added, "Microsoft has a really bad track record in security." The GM of Trend Micro's consumer division sniffed, "It's better to use something than to use nothing, but you get what you pay for."

“We'll only use DNA for identification, like fingerprints” “We're not prejudiced, but we ain't allowing no WOGs into the country!”

Posted by kdawson on Wednesday September 30, @03:27AM from the genetic-papers-please dept.

cremeglace writes

"Scientists are dismayed and outraged at a new project by the UK border agency to test DNA, hair, and nails to determine the nationality of asylum seekers and help decide if they can enter the UK. 'Horrifying,' 'naive,' and 'flawed' are among the words geneticists and isotope specialists have used to describe the 'Human Provenance pilot project.' The methods being used to determine ancestry include fingerprinting of mitochondrial DNA and isotope analysis of hair and nails. ScienceInsider blog notes that it is 'not clear who is conducting the DNA and isotope analyses [That would be the Klass Kategorizing KO-OP –ticker symbol KKK Bob] for the Border Agency,' and that the agency has not 'cited any scientific papers that validate its DNA and isotope methods.' There is also a followup post with more information on the tests that are being used, and some reactions from experts in genetic forensic analysis. This story was first reported in The Observer on Sunday."

Hackers! We need a free iPhone app that everyone will want/need to install. Viagra Marketers: Have we got a deal for you!

Posted by kdawson on Tuesday September 29, @04:58PM from the how-about-never-is-never-good-for-you dept.

TechnologyResource writes

"When a couple of voicemails didn't show up recently, I thought nothing of it until a friend asked me if I'd gotten his message — people just don't call me that often. But the iPhone is indeed a phone, as some users are reportedly being reminded when they get phone calls from the publishers of a free app they've downloaded from the App Store. The application in question, mogoRoad, is a real-time traffic monitoring application. As invasive and despicable as that sounds, it raises another question: how did the company get hold of the contact information for those users? Mogo claims the details were provided by Apple, but Apple doesn't disclose that information to App Store vendors. French site Mac 4 Ever did some digging (scroll down for the English version) and determined it was possible — even easy — for an app to retrieve the phone number of a unit on which it was installed."

Posted by kdawson on Tuesday September 29, @03:22PM from the happy-bloomsday dept.

pickens writes

"In a victory for Fair Use, Stanford Law School's Fair Use Project has announced that the estate of 20th century literary giant James Joyce, author of the landmark novel Ulysses, has agreed to pay $240,000 in attorneys' fees to Stanford University Consulting Professor Carol Shloss and her counsel in connection with Shloss's lawsuit to establish her right to use copyrighted material in her scholarship on the literary work of James Joyce. When Shloss used copyrighted materials in her biography of Joyce's daughter Lucia, titled Lucia Joyce: To Dance in the Wake, she had to excise a substantial amount of source material from the book in response to threats from the Joyce Estate. However following publication of the book, Shloss sued the Estate to establish her right to publish the excised material. The parties reached a settlement regarding the issue in 2007, permitting the publication of the copyrighted material in the US. Following the settlement, Shloss asked the Court to order the Estate to pay attorneys' fees of more than $400,000. She has now agreed to accept an immediate payment of $240,000 in return for the dismissal of the Estate's appeal. 'This case shows there are solutions to the problem Carol Shloss faced other than simple capitulation,' says Fair Use Project Executive Director Anthony Falzone, who led the litigation team."

Only lawyers understand copyright law, and they can't explain it to juries.

Posted by Soulskill on Wednesday September 30, @08:50AM from the courts-just-like-making-work-for-themselves dept.

some_guy_88 writes

"The $338 million verdict against Microsoft for violating a patent held by Uniloc has now been overturned. 'Ric Richardson ... is the founder of Uniloc, which sued Microsoft in 2003 for violating its patent relating to technology designed to deter software piracy. The company alleged Microsoft earned billions of dollars by using the technology in its Windows XP and Office programs. In April, a Rhode Island jury found Microsoft had violated the patent and told Microsoft to pay the company $388 million, one of the largest patent jury awards in US history. But on Tuesday ... US District Judge William Smith "vacated" the jury's verdict and ruled in favor of Microsoft.' In his ruling, Smith said the jury 'lacked a grasp of the issues before it [perhaps there can't be a jury of peers in Copyright litigation? Bob] and reached a finding without a legally sufficient basis (PDF).'"

Posted by timothy on Tuesday September 29, @01:09PM from the just-put-something-on-youtube dept.

An anonymous reader writes

"I am an artist working with 3d software to create animations and digital prints. For now my work just gets put on screening DVDs and BluRays and the original .mov and 3d files get backed up. But museums and big art collectors do want to purchase these animations. However as we all know archival DVDs are not really archival. So I want to ask the Slashdot readers, what can I give to the museum when they acquire my digital work for their collection so that it can last and be seen long after I am dead? No other artist or institution I know of has come up with any real solution to this issue yet, so I thought Slashdot readers may have an idea. These editions can be sold for a large amount of money, so it doesn't have to be a cheap solution."

About Me

I live in Centennial Colorado. (I'm not actually 100 years old, but I hope to be some day.) I'm an independent computer consultant, specializing in solving problems that traditional IT personnel tend to have difficulty with... That includes everything from inventorying hardware & software, to converting systems & data, to training end-users. I particularly enjoy taking on projects that IT has attempted several times before with no success. I also teach at two local Universities: everything from Introduction to Microcomputers through Business Continuity and Security Management. My background includes IT Audit, Computer Security, and a variety of unique IT projects.